Termine
Publikationen
Publikationen
27.01.2020
Wie Unternehmen verantwortungsvoll mit Daten und Plattformen umgehen
Leitlinien der deutschen Elektroindustrie
Vorbemerkung
Mit der Digitalisierung findet ein grundlegender Strukturwandel in Wirtschaft und Gesellschaft statt. Die deutsche Elektroindustrie, die mit ihren Produkten und Lösungen Bindeglied zwischen analoger und digitaler Welt ist, gestaltet diesen Wandel aktiv mit.
Die Digitalisierung der Wirtschaft ist die Voraussetzung, um stabil und nachhaltig zu wachsen, sie schafft einen Mehrwert für die Gesellschaft und trägt zur Lösung globaler Herausforderungen bei. Digitalwirtschaft im industriellen Sektor bedeutet, die Konnektivität sowohl von einzelnen Produkten als auch ganzer Infrastrukturen herzustellen, die über Unternehmen hinausgehen und Lieferanten und Kunden einschließen können.
Der „Rohstoff“ der digitalisierten Wirtschaft sind Daten. Heute nutzen Unternehmen der Elektroindustrie diese vor allem dafür, bestehende Geschäftsmodelle und Prozesse zu optimieren. Zunehmend jedoch dienen die Daten auch der Entwicklung neuer Geschäftsmodelle. Dadurch entstehen neue Wertschöpfungsstrukturen und Partnernetzwerke.
Dabei kommt digitalen Plattformen auch im industriellen Kontext ein besonders hoher Stellenwert zu. Sie sind die Drehscheiben, auf denen Marktteilnehmer Daten nutzen und austauschen. Kleinen und mittleren Unternehmen (KMU) und Start-ups bieten offene Plattformen eine Chance, sich in die neu entstehenden Ökosysteme einzubringen. Aber die Nutzung und Verarbeitung von Daten und der Betrieb von Plattformen können auch zu Missbrauch und Konflikten führen.
Um das Potenzial von Daten und Plattformen nutzen zu können, ist neben klaren rechtlichen Regelungen vor allem auch der Aufbau von Vertrauen erforderlich. Dafür ist ein gemeinsames Wertefundament nötig, das im praktischen Handeln konsequent umgesetzt wird.
In Deutschland und Europa steht immer der Mensch im Mittelpunkt und mit ihm die aus dem Schutz der Menschenwürde abgeleiteten Grundrechte. Hierbei kommen im Hinblick auf Daten und Plattformen vor allem dem Schutz der Privatsphäre und dem Schutz personenbezogener Daten besondere Bedeutung zu. Zu unserem Wertefundament zählen zudem die Regeln der sozialen Marktwirtschaft, die einen fairen Wettbewerb definieren, sowie die Umsetzung der globalen Nachhaltigkeitsziele der Vereinten Nationen. Hierin sehen wir das Wertefundament der Elektroindustrie, das unser Handeln leitet und das wir im internationalen Wettbewerb zur Geltung bringen.
Die vorliegenden Leitlinien konkretisieren auf Basis dieses Wertefundaments, woran sich die Elektroindustrie bei der Nutzung von Daten und bei der Gestaltung von Plattformen orientiert.
Wir verstehen die Formulierung der Leitlinien als kontinuierlichen Prozess und als Gesprächsangebot. Auf Grundlage der Leitlinien werden wir uns aktiv in den Dialog über die Rahmenbedingungen der Digitalwirtschaft einbringen. Dass die Leitlinien praktisch umgesetzt werden, verdeutlichen die Beispiele aus der Unternehmenspraxis von ZVEI-Mitgliedsunternehmen im Anhang.
Mit Fallbeispielen
Zehn Leitlinien zum verantwortungsvollen Umgang mit Daten und Plattformen
1. Personal data is worth of particular protection
Companies in Germany's electrical industry consider the individual's self-determination of their own data a central basis for the digital economy. We see the requirements for data protection set out in the General Data Protection Regulation (GDPR) as a competitive advantage in the global competition.
Case studies from practice
Case study 1: Befund24
Befund24 has set up a marketplace for the mediation of remote diagnosis services in the health sector. To protect personal data, the platform operates according to the basic principle of "privacy by design and by default" in accordance with Article 25 of the General Data Protection Regulation (GDPR). The development of the Befund24 marketplace solution is based on the Siemens Healthineers cybersecurity development process, which includes a threat and risk analysis (TRA), the implementation of security standards and security checks. In addition, external penetration tests are carried out regularly. Patient data is always encrypted in the Befund24 cloud. Patients can assert any claims for information against the hospital or the creator of the findings report.
Further information
Case study 2: Bundesdruckerei
In future, Bundesdruckerei will offer data trustee services in the healthcare sector (pseudonymisation, authorisation and consent management) as a service via a digital platform. With the help of a trusted third party, personal data and pseudonyms can be managed securely. Only pseudonyms are assigned to the user data. By means of an authorization management the data provider can decide who receives which data for inspection or revoke this authorization.
Further information
Case study 3: Eaton
Eaton has introduced a uniform, companywide policy for personal data protection. Since the Group operates globally, and there is no robust international legislation on personal data protection, Eaton has introduced a policy that applies to all sites and subsidiaries worldwide and is based on the General Data Protection Regulation (GDPR). This is intended to ensure that the personal data of customers and employees worldwide is handled in accordance with the highest security standards currently available.
Further information
Case study 4: Siemens
Siemens is implementing a uniform data protection solution for MindSphere worldwide, which was developed in accordance with the standards of the General Data Protection Regulation (GDPR). With MindSphere Data Privacy Terms, every customer is offered the conclusion of contractual clauses that give them full control over the content with personal data processed on MindSphere. This includes transparency of all sub-service providers used with access to personal data and audit rights in order to be able to check compliance with contractual promises and data protection requirements. The MindSphere Data Privacy Terms apply worldwide and thus enable compliance with European data protection law as well as local data protection requirements in other jurisdictions.
Further information
https://www.plm.automation.siemens.com/media/global/en/Siemens_MindSphere_Whitepaper_tcm27-9395.pdf
2. Enabling fair access to data
In principle, each generator of data should be able to decide how to handle the data it generates. ZVEI rejects the monopolization of data and the creation of new legislation for data ownership rights. Access to and use of data should be organized between partners freely and in fair contracts that take the interests of both sides into account in an appropriate manner. This ensures that customers and business partners can determine and control which data is accessed and for what purpose it is used..
Case studies from practice
Case study 1: Bundesdruckerei
Bundesdruckerei offers itself as a trusted partner to facilitate the exchange of data between organisations. This is because if organisations do not fully trust each other when exchanging data or if direct data exchange is not technically or legally possible, this can prevent the development of data-driven business models. As a trusted partner of both organizations, the data trustee intervenes in between. The original data is transferred to the data custodian and analysed and processed according to the agreed data governance. Only the result is passed on to the authorised organisation.
Further information
Case study 2: Osram
Osram has established the Lightelligence software platform, which enables cloud-based collection and analysis of a wide range of data from various sources. Only the respective customers themselves have control over their data. A granular, transparent authorization concept ensures that data is not released to third parties unintentionally. In addition, it is possible to give the applications of third parties only those rights that are necessary for their function. There is a strict separation between individual customers, which is verified by various technical measures and tested regularly. Osram does not access or use customer data for its own purposes.
Further information
3. Promoting data security through security by design and security lifecycle management
Basic requirements for the sharing and use of data are: Access that is protected against misuse; secure processing, storage and handling of data; and the maintenance of its integrity and confidentiality. Companies in the electrical industry are therefore committed to promote security as comprehensively as possible through a holistic approach. This includes both security by design in the development phase and security lifecycle management throughout the entire product and data lifecycle.
Unauthorized access must be countered with the fastest possible response.
Case studies from practice
Case study 1: Befund24
Befund24 has set up a marketplace for the mediation of remote diagnosis services in the health sector. To protect personal data, the platform operates according to the basic principle of „privacy by design and by default“ in accordance with Article 25 of the General Data Protection Regulation (GDPR). The development of the Befund24 marketplace solution is based on the Siemens Healthi- neers cybersecurity development process, which includes a threat and risk analysis (TRA), the imple- mentation of security standards and security checks. In addition, external penetration tests are car- ried out regularly. Patient data is always encrypted in the Befund24 cloud. Patients can assert any claims for information against the hospital or the creator of the findings report.
Further Information
Case study 2: Eaton
At Eaton, every digitally controlled or networked product or system is tested by a global Center of Excellence (CoE) for product cybersecurity as part of the cybersecurity life-cycle before being launched to the market. The CoE, together with the product managers, acts as an approval body.
Further information
https://www.eaton.com/us/en-us/markets/innovation-stories/Managing-Cybersecurity-Risks.html
Case study 3: Infineon
The high safety requirements for automated and networked vehicles have a major influence on the design of Infineon chips as the smallest electronic elements in the vehicle. In modern vehicles with 100 or more ECUs, so-called security anchors protect against manipulation or theft of data. These semiconductor chips with highly secure encryption mechanisms are either directly integrated into the numerous microcontrollers or built in as discrete security controllers. These chips protect against manipulation and intrusion attempts, so that a violation of data security can be fended off.
Further information
https://www.infineon.com/cms/de/discoveries/Fahrzeugsicherheit/?redirId=38066
Case study 4: Phoenix Contact
Phoenix Contact takes security requirements for software and hardware into account as early as the development phase of a product. For automation solutions, a security concept with the necessary protective measures is developed. Both are carried out in accordance with the international IEC 62443 series of standards. Phoenix Contact has also established a team as a contact partner for users who discover security gaps and actively informs them about known safety gaps. The Product Security Incident Response Team (PSIRT) adheres to the process chain of the standard series when processing, evaluating and publishing reports and updates.
Further information
Case study 5: Siemens
Siemens has established ten principles for cyber security in its "Charter of Trust". These include the principle of "Taking Responsibility in the Digital Supply Chain". This means, for example, that security must also be anchored in the value network with suppliers. To ensure this, a roll-out was started, which includes corresponding terms and conditions in all purchasing contracts and the qualification of 300 pilot suppliers. Siemens supports business partners and suppliers in implementing the "Roadmap to Compliance" with the necessary security levels, including external certification.
Further information
4. Turning data into information - This added value is an economically significant asset of companies
Digital value creation is based substantially on the processing and evaluation of data, for example through data analysis techniques or the application of artificial intelligence. We consider digital value creation through data processing and evaluation as an economically significant asset worthy of protection. This creates an incentive for innovation and at the same time protects investments.
Case studies from practice
Case study 1: ABB
The ABB AbilityTM Collaborative Operations Centers (COC) offers a new form of cooperation in digital services. ABB experts use secure cloud-based applications with which they collect, combine, analyze and visualize plant data 24/7 up to proactive reporting, depending on the scope of services. Customers can thus fast and efficiently obtain decision documents to improve their plant availability, production throughput or product quality, thus increasing their cost efficiency and the performance of their operating processes. Mass data from the plants or fleets is linked with in-depth industry-specific knowledge. The aim is to create new value creation potential together with customers.
Further information
Case study 2: Siemens
One example of value added derived from data is data-based condition-based maintenance, which allows the condition values of a field device to be analyzed in the central maintenance management system.
If operating data is collected from a fleet of machines, data analysis can be used to determine sensible maintenance times. The underlying evaluation procedures can be protectable. Siemens holds patents for this in the area of "Systems and methods for condition-based maintenance".
5. Supporting the portability and interoperability of data used for competitive purposes
The companies in Germany's electrical industry actively promote competition. The ability to use data across different generation and application contexts in parallel can be achieved by supporting data portability through interoperable data formats and information models based on freely accessible standards. In this way, data exchange or data pooling between different providers is possible, thus promoting competition.
Case studies from practice
Case study 1: ABB
ABB supports the development of the Asset Administration Shell concept and incorporates it into its own device and platform developments. The Asset Administration Shell allows data and services from IIoT devices to be connected via a unified interface, regardless of the device manufacturer. In addi- tion, device properties can be exchanged across manufacturers in a standardized way using eCl@ss.
Further information
Case study 2: Infineon
In 2018, Infineon launched a so-called Trusted Platform Module (TPM) specifically for automotive applications. The external communication of a vehicle is protected by the TPM - a kind of vault - which generates, stores, distributes and manages cryptographic keys, for example. The TPM complies with international standards (ISO/IEC 11889) and thus contributes significantly to the portability and interoperability of data.
Further information
Case study 3: Siemens
Siemens MindSphere offers open, bi-directional communication at every interface and can be integ- rated with applications, machines, enterprise IT systems and other IT platforms. Customers also have the option of designing the data models according to their own wishes or removing data from the backend. With IDL (Integrated Data Lake) and EDI (Enterprise Data Interconnect), Siemens also offers a methodology for using data from other data lakes for MindSphere applications without changing their storage location.
Further information
https://www.plm.automation.siemens.com/media/global/en/Siemens_MindSphere_Whitepaper_tcm27-9395.pdf
6. Promoting the sustainable use of data
ZVEI is committed to the widest possible access to and sustainable use of non-personal data or anonymized data for the common good of society and for achieving global sustainability goals. Due consideration must be given at the same time to economic interests and the costs associated with the provision of the data.
Case studies from practice
Case study: BLIDS
BLIDS, the Lightning Information Service from Siemens, locates lightning storms in Germany and other European countries.
In addition to the paid subscription, the BLIDS spy provides a set of free overview thunderstorm maps for Germany and other European countries. Based on over 155 measuring stations distributed throughout Europe, lightning strikes can be located with an accuracy of up to 200 meters. Siemens will provide an updated map every 15 minutes via BLIDS Spion, showing all lightning strikes of the last two hours.
Further information
https://new.siemens.com/global/de/produkte/services/blids.html
7. Enhancing open innovation and co-creation
In the data-driven digital economy, value chains become flexible value creation networks with new partner constellations. New business models often go hand in hand with changing constellations of actors and are often embedded in newly emerging ecosystems. These offer start-ups, SMEs and large companies’ opportunities to participate jointly in digital value creation. In this context, the protec- tion of the intellectual property of the respective partners must be ensured.
In order to support the development of such ecosystems, ZVEI is committed to new forms of coope- ration and approaches such as open innovation and co-creation, in which the customer or supplier becomes the innovation partner.
Case studies from practice
Case study 1: ABB
ABB supports its customers in the digitalization of business processes. In co-creation workshops, customers can transform their ideas into digital solutions together with the respective ABB business units. The workshops are tailored for each customer depending on the industry, topic and problem definition. The customer is involved in the innovation process right from the beginning by means of „Design Thinking“. The newly developed solutions and business models can thus be tested more easily.
Further information
https://new.abb.com/news/detail/18797/lets-shape-the-digital-world-of-the- future-together
Case study 2: Phoenix Contact
Phoenix Contact has set up an open webstore for solutions from various suppliers for the PLCnext control platform. The PLCnext Store provides software applications with which interested parties can functionally expand a PLCnext controller and then offer it for sale. The PLCnext Store provides users with a variety of apps - from software libraries for accelerated programming to pre-programmed apps that do not require programming knowledge to use.
Further information
8. Enable participation in digital platform
Industrial platforms should provide non-discriminatory access to all interested parties. Quality stan- dards or technological prerequisites may have to be defined to ensure security and functionality of the platform (for example by the certification of components); however, these must not be unilateral at the expense of individual market participants.
Case studies from practice
Case study 1: Bundesdruckerei
In future, Bundesdruckerei will offer data trustee services in the healthcare sector (pseudonymisation, authorisation and consent management) as a service via a digital platform. With the help of a trusted third party, personal data and pseudonyms can be managed securely. Only pseudonyms are assigned to the user data. By means of an authorization management the data provider can decide who recei- ves which data for inspection or revoke this authorization.
Further information
Case study 2: Protiq
Protiq offers an open platform for 3D printing. The digital business model of the manufacturer of 3D printing in plastic, ceramics and metal involves the customer configuring, ordering and paying online. Protiq also operates an open portal where various service providers can offer their 3D printing services. On the marketplace, the customer is free to choose which service provider should complete his order.
Further information
Case study 3: Siemens
Third-party vendors are enabled to develop their own data-based business models through non-pro- prietary access to the Siemens MindSphere platform. For this purpose, third-party providers can use open interfaces and flexible connectivity solutions for machines (cross-vendor and with any protocols or communication standards) as well as for various software systems (e.g. ERP, MES):
In addition, the MindSphere Store will provide third parties with a secure distribution platform for industrial applications and digital services.
Further information
https://www.plm.automation.siemens.com/media/global/en/Siemens_MindSphere_Whitepaper_tcm27-9395.pdf
9. Promoting transparent operation of digital platforms
A platform interconnects different stakeholders, which can pursue different interests. This also inclu- des the operator of the platform. The platform operator has the task of making these interests as transparent as possible to all platform users. This is particularly the case when the content or functio- nality of the platform are influenced by the interests of individual actors, such as the order of search results. By the provision of suitable opt-in/opt-out functions, platform users should be given the opportunity to track and control the use and exploitation of the data they contribute in the platform operation in a differentiated manner.
Case studies from practice
Case study 1: ABB
The ABB Ability™ Data Manifesto serves as a starting point for discussions about new digital solutions and is intended to form the basic values for a trustful cooperation in digitalization. It describes three aspects that customer data are not becoming the property of ABB, that the customer always knows what ABB is doing with their data, and that the data are not passed on without the explicit consent of the customer, regardless of whether it is personal data or machine data.
Further information
Case study 2: Protiq
Protiq offers an open platform for 3D printing. The digital business model of the manufacturer of 3D printing in plastic, ceramics and metal involves the customer configuring, ordering and paying online. Protiq also operates an open portal where various service providers can offer their 3D printing services. On the marketplace, the customer is free to choose which service provider should complete his order.
Further information
10. Enabling fair competition between digital platforms
Member companies ZVEI are actively committed to fair and innovation-promoting international competition between platforms. The design of platforms should therefore prevent the creation of anti- competitive lock-in mechanisms that artificially obstruct users from switching to other platforms. In particular, the migration capability of data should be ensured, and the simultaneous use of multiple platforms should be made possible.
Case studies from practice
Case study: ABB
ABB supports the development of the Asset Administration Shell concept and incorporates it into its own device and platform developments. The Asset Administration Shell allows data and services from IIoT devices to be connected via a unified interface, regardless of the device manufacturer. In addi- tion, device properties can be exchanged across manufacturers in a standardized way using eCl@ss.
Further information